๐ณ Recipe ยท Licensing & Cost Optimization
Audit Microsoft 365 licenses: find inactive users, unassigned SKUs, and savings opportunities
Identify expensive licenses assigned to inactive accounts, surface unassigned SKUs, and produce a prioritized optimization plan with estimated monthly savings.
Complexity
Intermediate
Impact
cost-savings + license-optimization + reporting + quarterly-audit + finops
Context
Why This Matters
Microsoft 365 licensing is one of the largest recurring line items in most IT budgets, and license sprawl is easy to accumulate: departed employees whose accounts were never disabled, contractors who only needed access for a quarter, or bulk purchases that left unassigned SKUs sitting idle. Without a regular audit, organizations routinely pay for 10-25% more seats than they actually use.
This recipe walks through a repeatable audit that cross-references subscribed SKUs (what you own) against user sign-in activity (who actually uses it) to surface three categories of waste:
- Inactive licensed users โ accounts with expensive licenses (E3, E5, Visio, Project) that have not signed in for 90+ days.
- Unassigned SKUs โ purchased seats sitting idle in the tenant.
- Downgrade candidates โ users on E5 who only use E3-tier features (no Defender, no Power BI Pro, no phone system).
Run this quarterly, before renewal negotiations, or whenever Finance asks why the Microsoft bill keeps growing.
Expected Outcomes
After completing this recipe you will have:
- A complete inventory of subscribed SKUs with total/assigned/available counts.
- A list of inactive users (90+ days no sign-in) who currently hold paid licenses.
- A count of unassigned licenses per SKU and their monthly cost.
- An optimization plan identifying which licenses to reclaim, downgrade, or let lapse.
- An estimated monthly and annual savings figure to bring to Finance or your Microsoft account rep.
Risks & Considerations
Before you reclaim licenses
- Don't remove licenses from shared mailboxes or resource accounts. These legitimately have no sign-in activity but still need an Exchange license if over 50 GB or if litigation hold is applied.
- Check for service account exemptions. Break-glass accounts, automation identities, and hybrid sync accounts may show as inactive but must retain licensing.
- Removing an E5/E3 license purges mailbox data after 30 days. If the user is on leave, convert the mailbox to shared before unlicensing, or place on retention hold first.
- Guest (B2B) users do not consume licenses up to a 1:5 ratio โ don't count them as waste.
- signInActivity requires Azure AD P1 or higher. If you see null values everywhere, your tenant lacks the SKU to populate this field.
- Coordinate with HR before disabling accounts flagged as inactive โ an "inactive" user may simply be on parental leave.
Required Permissions
| Permission | Why It's Needed |
|---|---|
| Organization.Read.All | List subscribed SKUs, their assigned/consumed unit counts, and service plans. |
| User.Read.All | Enumerate users and their assignedLicenses property to cross-reference with activity. |
| AuditLog.Read.All | Access the signInActivity property on the user object to determine last sign-in date. |
| Reports.Read.All | Pull per-service usage reports (Teams, OneDrive, Exchange, SharePoint) to spot users with a license but no actual product usage. |
The fastest way to get this done โ just ask Dex. Copy the prompt below and paste it into your Dex conversation.
For IT Admins
Paste into Dex CoAdmin